the problem could be as simple as

On Tue, Apr 25, 2017 at 5:42 PM, Alasdair G Kergon <agk@xxxxxxxxxx> wrote:
> On Tue, Apr 25, 2017 at 05:33:19PM -0700, Adrian Salido wrote:
>> it's actually the data portion of the struct under a custom user ioctl
>> where (param_kernel->data_size - minimum_data_size) <
>> sizeof(param_kernel->data)
>> Will update the patch to be clear
>
> Yes - but before updating the patch, we need to be clearer about the
> requirements of the ioctl here.
>

agreed

> Why are two different minimum data sizes used?
>
> If we let userspace send a truncated dm_ioctl struct, why are we not
> returning the same truncated one?
>
> Is this the bug?
> param->data_size = sizeof(*param);

the problem happens every time ioctl_flags & IOCTL_FLAGS_NO_PARAMS (ex. DM_DEV_STATUS_CMD)

1. param_kernel is allocated from stack and passed to copy_params
2. copy_params only copies up to param_kernel->data from user (param_kernel->data still contains stack contents)
3. in copy_params, since there are no params it will skip through and return param = dmi = param_kernel
4. that stale data is copied back to user

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
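The four steps above describe a stack-content leak through a partially filled ioctl struct. The userspace C program below is an added illustration of that flow and of one mitigation (zeroing the kernel-side struct before the partial copy-in); it is not code from this thread or from the device-mapper driver. `struct fake_dm_ioctl`, `MIN_DATA_SIZE`, and the two `copy_params_*` functions are constructed stand-ins for the real `struct dm_ioctl`, `minimum_data_size`, and `copy_params`, and the "stale stack contents" are simulated deterministically with a 0xAA sentinel rather than relying on genuinely uninitialized memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct dm_ioctl: a short header followed by a
 * trailing data[] area. This is NOT the real kernel layout. */
struct fake_dm_ioctl {
    uint32_t data_size;        /* total bytes userspace supplied / kernel returns */
    uint32_t flags;
    unsigned char data[16];    /* payload area that copy-in may leave untouched */
};

/* The "minimum data size": everything up to the start of data[]. */
#define MIN_DATA_SIZE ((uint32_t)offsetof(struct fake_dm_ioctl, data))

/* Buggy flow mirroring steps 2 and 3 of the mail: only the header is
 * copied in from "userspace", and the struct is then handed back as-is. */
static void copy_params_buggy(const struct fake_dm_ioctl *user_in,
                              struct fake_dm_ioctl *param_kernel)
{
    memcpy(param_kernel, user_in, MIN_DATA_SIZE);   /* data[] keeps old bytes */
    param_kernel->data_size = sizeof(*param_kernel);
}

/* Hardened flow (one possible mitigation, not necessarily the upstream
 * patch): zero the whole kernel-side struct before the partial copy-in,
 * so bytes the copy never overwrites are defined rather than stale. */
static void copy_params_fixed(const struct fake_dm_ioctl *user_in,
                              struct fake_dm_ioctl *param_kernel)
{
    memset(param_kernel, 0, sizeof(*param_kernel));
    memcpy(param_kernel, user_in, MIN_DATA_SIZE);
    param_kernel->data_size = sizeof(*param_kernel);
}

/* Run one ioctl round-trip and count how many data[] bytes returned to
 * "userspace" still carry the simulated stack sentinel (step 4). */
static int leaked_bytes(void (*copy_params)(const struct fake_dm_ioctl *,
                                            struct fake_dm_ioctl *))
{
    const unsigned char sentinel = 0xAA;
    struct fake_dm_ioctl user_in = { .data_size = MIN_DATA_SIZE, .flags = 0 };
    struct fake_dm_ioctl user_out;
    struct fake_dm_ioctl param_kernel;   /* step 1: lives on the stack */
    int leaked = 0;

    /* Simulated stale stack contents (constructed, deterministic). */
    memset(&param_kernel, sentinel, sizeof(param_kernel));

    copy_params(&user_in, &param_kernel);
    memcpy(&user_out, &param_kernel, sizeof(user_out));  /* step 4: copy-out */

    for (size_t i = 0; i < sizeof(user_out.data); i++)
        if (user_out.data[i] == sentinel)
            leaked++;
    return leaked;
}

int leaked_with_buggy_path(void) { return leaked_bytes(copy_params_buggy); }
int leaked_with_fixed_path(void) { return leaked_bytes(copy_params_fixed); }

int main(void)
{
    printf("buggy path returns %d stale data bytes\n", leaked_with_buggy_path());
    printf("fixed path returns %d stale data bytes\n", leaked_with_fixed_path());
    return 0;
}
```

The check worth keeping from this is the shape of the defect: whenever a kernel-side struct is copied back to userspace in full but filled in from userspace only up to some offset, every byte past that offset must be explicitly initialized. Zeroing the struct up front is the simplest way to make that hold regardless of which ioctl flags skip the parameter copy.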